Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2603
Views
0
Helpful
3
Replies

ISE ERS API Limited Access

Go to solution
lukeberkheiser
Level 1
Level 1

‎04-16-2021 07:56 AM

Hello,

 

We have certain teams that have very limited ISE GUI permissions for both Menu and Data. The purpose is to give them as simple an interface as possible but enable them to add/edit/delete endpoints that will have access to their specific network. Their Data Access permissions are limited to a single Endpoint Identity Group. 

 

I'm wondering if there is a way to also give these specific users access to the ERS API, but with the same limited permissions. Are users in the ERS Operator or ERS Admin group also limited to the Data Permissions for the GUI, or do they have access to everything on ISE, either Read-Only or Read & Write? Or is there another way to limit their access?

 

Thanks,

Luke

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎04-18-2021 06:27 PM

The ERS Admin and ERS Operator groups have no Menu Access Permissions (and cannot be customised) so admin users associated with these groups cannot login to the GUI.

There is currently no full RBAC functionality for the REST API to limit access to ERS admins/operators. Although we cannot discuss roadmap on this forum, it is likely that future versions of ISE will provide feature enhancements around RBAC for the REST API.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marcelo Morais
VIP
VIP

‎04-16-2021 05:39 PM

Hi @lukeberkheiser,

 take a look at: Introduction to ERS API - 2.7, check the prerequisites ...

"Prerequisites for Using the External RESTful Services API Calls
You must fulfill the following prerequisites before invoking an External RESTful Services API call:
• You must have enabled External RESTful Services from the GUI.
• You must have External RESTful Services Admin privileges.
You can use any REST client like JAVA, curl linux command, python or any other client to invoke External RESTful Services API calls."

 

Hope this helps !!!

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎04-18-2021 06:27 PM

The ERS Admin and ERS Operator groups have no Menu Access Permissions (and cannot be customised) so admin users associated with these groups cannot login to the GUI.

There is currently no full RBAC functionality for the REST API to limit access to ERS admins/operators. Although we cannot discuss roadmap on this forum, it is likely that future versions of ISE will provide feature enhancements around RBAC for the REST API.

0 Helpful

Go to solution
lukeberkheiser
Level 1
Level 1
In response to Greg Gibbs

‎04-18-2021 11:06 PM

Thank you for the information Greg

0 Helpful
Customers Also Viewed These Support Documents